Updated security/* articles to Symfony 4

security/access_control.rst

@@ -33,7 +33,7 @@ Take the following ``access_control`` entries as an example:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
             access_control:
@@ -44,7 +44,7 @@ Take the following ``access_control`` entries as an example:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -171,7 +171,7 @@ pattern so that it is only accessible by requests from the local server itself:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
             access_control:
@@ -181,7 +181,7 @@ pattern so that it is only accessible by requests from the local server itself:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -252,7 +252,7 @@ key:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
             access_control:
@@ -300,15 +300,15 @@ the user will be redirected to ``https``:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
             access_control:
                 - { path: ^/cart/checkout, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/access_denied_handler.rst

@@ -38,7 +38,7 @@ configure it under your firewall:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         firewalls:
             # ...
 
@@ -48,6 +48,7 @@ configure it under your firewall:
 
     .. code-block:: xml
 
+        <!-- config/packages/security.xml -->
         <config>
             <firewall name="main">
                 <access_denied_handler>App\Security\AccessDeniedHandler</access_denied_handler>

security/api_key_authentication.rst

@@ -211,7 +211,7 @@ The ``$userProvider`` might look something like this::
 Next, make sure this class is registered as a service. If you're using the
 :ref:`default services.yaml configuration <service-container-services-load-example>`,
 that happens automatically. A little later, you'll reference this service in
-your :ref:`security.yml configuration <security-api-key-config>`.
+your :ref:`security.yaml configuration <security-api-key-config>`.
 
 .. note::
 
@@ -292,7 +292,7 @@ and ``provider`` keys:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
 
@@ -310,7 +310,7 @@ and ``provider`` keys:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -364,7 +364,7 @@ If you have defined ``access_control``, make sure to add a new entry:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
 
@@ -373,7 +373,7 @@ If you have defined ``access_control``, make sure to add a new entry:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -423,7 +423,7 @@ configuration or set it to ``false``:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
 
@@ -435,7 +435,7 @@ configuration or set it to ``false``:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/csrf_in_login_form.rst

@@ -23,14 +23,14 @@ file:
 
     .. code-block:: yaml
 
-        # app/config/config.yml
+        # config/packages/framework.yaml
         framework:
             # ...
-            csrf_protection: ~
+            csrf_protection: { enabled: true }
 
     .. code-block:: xml
 
-        <!-- app/config/config.xml -->
+        <!-- config/packages/framework.xml -->
         <?xml version="1.0" encoding="UTF-8" ?>
         <container xmlns="http://symfony.com/schema/dic/services"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -47,7 +47,7 @@ file:
 
     .. code-block:: php
 
-        // app/config/config.php
+        // config/packages/framework.php
         $container->loadFromExtension('framework', array(
             'csrf_protection' => null,
         ));
@@ -59,7 +59,7 @@ use the default provider available in the security component:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
 
@@ -72,7 +72,7 @@ use the default provider available in the security component:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8" ?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -171,7 +171,7 @@ After this, you have protected your login form against CSRF attacks.
 
         .. code-block:: yaml
 
-            # app/config/security.yml
+            # config/packages/security.yaml
             security:
                 # ...
 
@@ -185,7 +185,7 @@ After this, you have protected your login form against CSRF attacks.
 
         .. code-block:: xml
 
-            <!-- app/config/security.xml -->
+            <!-- config/packages/security.xml -->
             <?xml version="1.0" encoding="UTF-8" ?>
             <srv:container xmlns="http://symfony.com/schema/dic/security"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/custom_authentication_provider.rst

@@ -255,13 +255,13 @@ the ``PasswordDigest`` header value matches with the user's password::
 
             // Try to fetch the cache item from pool
             $cacheItem = $this->cachePool->getItem(md5($nonce));
-            
+
             // Validate that the nonce is *not* in cache
             // if it is, this could be a replay attack
             if ($cacheItem->isHit()) {
                 throw new NonceExpiredException('Previously used nonce detected');
             }
-            
+
             // Store the item in cache for 5 minutes
             $cacheItem->set(null)->expiresAfter(300);
             $this->cachePool->save($cacheItem);

security/custom_password_authenticator.rst

@@ -131,10 +131,10 @@ inside of it.
 
 Inside this method, the password encoder is needed to check the password's validity::
 
-        $passwordValid = $this->encoder->isPasswordValid($user, $token->getCredentials());
+    $passwordValid = $this->encoder->isPasswordValid($user, $token->getCredentials());
 
 This is a service that is already available in Symfony and it uses the password algorithm
-that is configured in the security configuration (e.g. ``security.yml``) under
+that is configured in the security configuration (e.g. ``security.yaml``) under
 the ``encoders`` key. Below, you'll see how to inject that into the ``TimeAuthenticator``.
 
 .. _security-password-authenticator-config:
@@ -153,7 +153,7 @@ using the ``simple_form`` key:
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
 
@@ -168,7 +168,7 @@ using the ``simple_form`` key:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/custom_provider.rst

@@ -9,7 +9,7 @@ When a user submits a username and password, the authentication layer asks
 the configured user provider to return a user object for a given username.
 Symfony then checks whether the password of this user is correct and generates
 a security token so the user stays authenticated during the current session.
-Out of the box, Symfony has four user providers: ``memory``, ``entity``, 
+Out of the box, Symfony has four user providers: ``memory``, ``entity``,
 ``ldap`` and ``chain``. In this entry you'll see how you can create your
 own user provider, which could be useful if your users are accessed via a
 custom database, a file, or - as shown in this example - a web service.
@@ -174,18 +174,18 @@ Now you make the user provider available as a service. If you're using the
 :ref:`default services.yaml configuration <service-container-services-load-example>`,
 this happens automatically.
 
-Modify ``security.yml``
------------------------
+Modify ``security.yaml``
+------------------------
 
 Everything comes together in your security configuration. Add the user provider
-to the list of providers in the "security" section. Choose a name for the user provider
+to the list of providers in the "security" config. Choose a name for the user provider
 (e.g. "webservice") and mention the ``id`` of the service you just defined.
 
 .. configuration-block::
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
 
@@ -195,7 +195,7 @@ to the list of providers in the "security" section. Choose a name for the user p
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -233,7 +233,7 @@ users, e.g. by filling in a login form. You can do this by adding a line to the
 
     .. code-block:: yaml
 
-        # app/config/security.yml
+        # config/packages/security.yaml
         security:
             # ...
 
@@ -242,7 +242,7 @@ users, e.g. by filling in a login form. You can do this by adding a line to the
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -282,7 +282,7 @@ is compared to the hashed password returned by your ``getPassword()`` method.
     Symfony uses a specific method to combine the salt and encode the password
     before comparing it to your encoded password. If ``getSalt()`` returns
     nothing, then the submitted password is simply encoded using the algorithm
-    you specify in ``security.yml``. If a salt *is* specified, then the following
+    you specify in ``security.yaml``. If a salt *is* specified, then the following
     value is created and *then* hashed via the algorithm::
 
         $password.'{'.$salt.'}'
@@ -301,7 +301,7 @@ is compared to the hashed password returned by your ``getPassword()`` method.
 
         .. code-block:: yaml
 
-            # app/config/security.yml
+            # config/packages/security.yaml
             security:
                 # ...
 
@@ -312,7 +312,7 @@ is compared to the hashed password returned by your ``getPassword()`` method.
 
         .. code-block:: xml
 
-            <!-- app/config/security.xml -->
+            <!-- config/packages/security.xml -->
             <?xml version="1.0" encoding="UTF-8"?>
             <srv:container xmlns="http://symfony.com/schema/dic/security"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/entity_provider.rst

@@ -24,7 +24,7 @@ Introduction
 Loading users via a Doctrine entity has 2 basic steps:
 
 #. :ref:`Create your User entity <security-crete-user-entity>`
-#. :ref:`Configure security.yml to load from your entity <security-config-entity-provider>`
+#. :ref:`Configure security.yaml to load from your entity <security-config-entity-provider>`
 
 Afterwards, you can learn more about :ref:`forbidding inactive users <security-advanced-user-interface>`,
 :ref:`using a custom query <authenticating-someone-with-a-custom-entity-provider>`
@@ -189,7 +189,7 @@ Want to know more? See :ref:`security-serialize-equatable`.
 ----------------------------------------------
 
 Now that you have a ``User`` entity that implements ``UserInterface``, you
-just need to tell Symfony's security system about it in ``security.yml``.
+just need to tell Symfony's security system about it in ``security.yaml``.
 
 In this example, the user will enter their username and password via HTTP
 basic authentication. Symfony will query for a ``User`` entity matching
@@ -452,7 +452,7 @@ interface only requires one method: ``loadUserByUsername($username)``::
     :doc:`mapping definition of your entity </doctrine/repository>`.
 
 To finish this, just remove the ``property`` key from the user provider in
-``security.yml``:
+``security.yaml``:
 
 .. configuration-block::